andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1628 from cmurphy/airgap-registry 

Bump charts for registry fix
pull/1633/head
Colleen Murphy 2021-11-19 17:55:12 -08:00 committed by GitHub
parent c3555b438c da05d93445
commit a3b21064f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
66 changed files with 1576 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-external-ip-webhook/rancher-external-ip-webhook-100.0.1+up1.0.1-rc2.tgz
View File

Binary file not shown.

BIN
assets/rancher-external-ip-webhook/rancher-external-ip-webhook-100.0.1+up1.0.1-rc3.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-sriov/sriov-100.0.1+up0.1.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-sriov/sriov-crd-100.0.1+up0.1.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/system-upgrade-controller/system-upgrade-controller-100.0.2+up0.3.2.tgz Normal file
View File

Binary file not shown.

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/.helmignore → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/.helmignore
View File

4
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/Chart.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/Chart.yaml
View File

@ -7,7 +7,7 @@ annotations:
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v1.0.1-rc2
appVersion: v1.0.1-rc3
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
home: https://github.com/rancher/externalip-webhook
@ -23,4 +23,4 @@ maintainers:
name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
version: 100.0.1+up1.0.1-rc2
version: 100.0.1+up1.0.1-rc3

2
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/README.md → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/README.md
View File

@ -28,7 +28,7 @@ The following table lists the configurable parameters of the externalip-webhook
| `certificates.certManager.enabled` | Enable cert manager integration. Cert manager should be already installed at the k8s cluster | `true` |
| `certificates.certManager.version` | Cert manager version to use | `""` |
| `certificates.secretName` | If cert-manager integration is disabled, upload certs data (ca.crt, tls.crt & tls.key) as k8s secretName in the namespace | `"webhook-server-cert"` |
| `global.systemDefaultRegistry` | Pull docker images from systemDefaultRegistry | `""` |
| `global.cattle.systemDefaultRegistry`| Pull docker images from systemDefaultRegistry | `""` |
| `image.pullPolicy` | Webhook server docker pull policy | `"IfNotPresent"` |
| `image.pullSecrets` | Webhook server docker pull secret | `""` |
| `image.repository` | Webhook server docker image repository | `"rancher/externalip-webhook"` |

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/app-README.md → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/app-README.md
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/questions.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/questions.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/NOTES.txt → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/NOTES.txt
View File

6
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/_helpers.tpl → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/_helpers.tpl
View File

@ -42,9 +42,9 @@ kubernetes.io/os: linux
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{- end -}}

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/admissionregistration.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/admissionregistration.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/clusterrole.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/clusterrole.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/clusterrolebinding.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/clusterrolebinding.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/deployment.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/deployment.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/issuer.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/issuer.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/service.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/service.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/serviceaccount.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/serviceaccount.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/templates/servicemonitor.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/templates/servicemonitor.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/admissionregistration_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/admissionregistration_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/clusterrole_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/clusterrole_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/clusterrolebinding_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/clusterrolebinding_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/deployment_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/deployment_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/issuer_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/issuer_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/service_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/service_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/serviceaccount_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/serviceaccount_test.yaml
View File

0
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/tests/servicemonitor_test.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/tests/servicemonitor_test.yaml
View File

5
charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc2/values.yaml → charts/rancher-external-ip-webhook/rancher-external-ip-webhook/100.0.1+up1.0.1-rc3/values.yaml
View File

@ -15,7 +15,7 @@ image:
pullPolicy: IfNotPresent
pullSecrets: []
repository: rancher/externalip-webhook
tag: v1.0.1-rc2
tag: v1.0.1-rc3
## Enabling metrics endpoint
# Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
metrics:
@ -64,4 +64,5 @@ tolerations: []
## Webhook server pod port
webhookPort: 9443
global:
systemDefaultRegistry: ""
cattle:
systemDefaultRegistry: ""

11
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/release-name: sriov-crd
apiVersion: v2
description: Installs the CRDs for rke2-sriov.
name: sriov-crd
type: application
version: 100.0.1+up0.1.0

79
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/templates/sriovnetwork.openshift.io_sriovibnetworks.yaml Normal file
View File

@ -0,0 +1,79 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sriovibnetworks.sriovnetwork.openshift.io
spec:
group: sriovnetwork.openshift.io
names:
kind: SriovIBNetwork
listKind: SriovIBNetworkList
plural: sriovibnetworks
singular: sriovibnetwork
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SriovIBNetwork is the Schema for the sriovibnetworks API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SriovIBNetworkSpec defines the desired state of SriovIBNetwork
properties:
capabilities:
description: 'Capabilities to be configured for this network. Capabilities
supported: (infinibandGUID), e.g. ''{"infinibandGUID": true}'''
type: string
ipam:
description: IPAM configuration to be used for this network.
type: string
linkState:
description: VF link state (enable|disable|auto)
enum:
- auto
- enable
- disable
type: string
metaPlugins:
description: MetaPluginsConfig configuration to be used in order to
chain metaplugins to the sriov interface returned by the operator.
type: string
networkNamespace:
description: Namespace of the NetworkAttachmentDefinition custom resource
type: string
resourceName:
description: SRIOV Network device plugin endpoint resource name
type: string
required:
- resourceName
type: object
status:
description: SriovIBNetworkStatus defines the observed state of SriovIBNetwork
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

133
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodepolicies.yaml Normal file
View File

@ -0,0 +1,133 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sriovnetworknodepolicies.sriovnetwork.openshift.io
spec:
group: sriovnetwork.openshift.io
names:
kind: SriovNetworkNodePolicy
listKind: SriovNetworkNodePolicyList
plural: sriovnetworknodepolicies
singular: sriovnetworknodepolicy
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SriovNetworkNodePolicy is the Schema for the sriovnetworknodepolicies
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SriovNetworkNodePolicySpec defines the desired state of SriovNetworkNodePolicy
properties:
deviceType:
description: The driver type for configured VFs. Allowed value "netdevice",
"vfio-pci". Defaults to netdevice.
enum:
- netdevice
- vfio-pci
type: string
eSwitchMode:
description: NIC Device Mode. Allowed value "legacy","switchdev".
enum:
- legacy
- switchdev
type: string
isRdma:
description: RDMA mode. Defaults to false.
type: boolean
linkType:
description: NIC Link Type. Allowed value "eth", "ETH", "ib", and
"IB".
enum:
- eth
- ETH
- ib
- IB
type: string
mtu:
description: MTU of VF
minimum: 1
type: integer
nicSelector:
description: NicSelector selects the NICs to be configured
properties:
deviceID:
description: The device hex code of SR-IoV device. Allowed value
"0d58", "1572", "158b", "1013", "1015", "1017", "101b".
type: string
netFilter:
description: Infrastructure Networking selection filter. Allowed
value "openstack/NetworkID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
type: string
pfNames:
description: Name of SR-IoV PF.
items:
type: string
type: array
rootDevices:
description: PCI address of SR-IoV PF.
items:
type: string
type: array
vendor:
description: The vendor hex code of SR-IoV device. Allowed value
"8086", "15b3".
type: string
type: object
nodeSelector:
additionalProperties:
type: string
description: NodeSelector selects the nodes to be configured
type: object
numVfs:
description: Number of VFs for each PF
minimum: 0
type: integer
priority:
description: Priority of the policy, higher priority policies can
override lower ones.
maximum: 99
minimum: 0
type: integer
resourceName:
description: SRIOV Network device plugin endpoint resource name
type: string
required:
- nicSelector
- nodeSelector
- numVfs
- resourceName
type: object
status:
description: SriovNetworkNodePolicyStatus defines the observed state of
SriovNetworkNodePolicy
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

155
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodestates.yaml Normal file
View File

@ -0,0 +1,155 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sriovnetworknodestates.sriovnetwork.openshift.io
spec:
group: sriovnetwork.openshift.io
names:
kind: SriovNetworkNodeState
listKind: SriovNetworkNodeStateList
plural: sriovnetworknodestates
singular: sriovnetworknodestate
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SriovNetworkNodeState is the Schema for the sriovnetworknodestates
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SriovNetworkNodeStateSpec defines the desired state of SriovNetworkNodeState
properties:
dpConfigVersion:
type: string
interfaces:
items:
properties:
eSwitchMode:
type: string
linkType:
type: string
mtu:
type: integer
name:
type: string
numVfs:
type: integer
pciAddress:
type: string
vfGroups:
items:
properties:
deviceType:
type: string
policyName:
type: string
resourceName:
type: string
vfRange:
type: string
type: object
type: array
required:
- pciAddress
type: object
type: array
type: object
status:
description: SriovNetworkNodeStateStatus defines the observed state of
SriovNetworkNodeState
properties:
interfaces:
items:
properties:
Vfs:
items:
properties:
Vlan:
type: integer
assigned:
type: string
deviceID:
type: string
driver:
type: string
mac:
type: string
mtu:
type: integer
name:
type: string
pciAddress:
type: string
vendor:
type: string
vfID:
type: integer
required:
- pciAddress
- vfID
type: object
type: array
deviceID:
type: string
driver:
type: string
eSwitchMode:
type: string
linkSpeed:
type: string
linkType:
type: string
mac:
type: string
mtu:
type: integer
name:
type: string
netFilter:
type: string
numVfs:
type: integer
pciAddress:
type: string
totalvfs:
type: integer
vendor:
type: string
required:
- pciAddress
type: object
type: array
lastSyncError:
type: string
syncStatus:
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

111
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworks.yaml Normal file
View File

@ -0,0 +1,111 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sriovnetworks.sriovnetwork.openshift.io
spec:
group: sriovnetwork.openshift.io
names:
kind: SriovNetwork
listKind: SriovNetworkList
plural: sriovnetworks
singular: sriovnetwork
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SriovNetwork is the Schema for the sriovnetworks API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SriovNetworkSpec defines the desired state of SriovNetwork
properties:
capabilities:
description: 'Capabilities to be configured for this network. Capabilities
supported: (mac|ips), e.g. ''{"mac": true}'''
type: string
ipam:
description: IPAM configuration to be used for this network.
type: string
linkState:
description: VF link state (enable|disable|auto)
enum:
- auto
- enable
- disable
type: string
maxTxRate:
description: Maximum tx rate, in Mbps, for the VF. Defaults to 0 (no
rate limiting)
minimum: 0
type: integer
metaPlugins:
description: MetaPluginsConfig configuration to be used in order to
chain metaplugins to the sriov interface returned by the operator.
type: string
minTxRate:
description: Minimum tx rate, in Mbps, for the VF. Defaults to 0 (no
rate limiting). min_tx_rate should be <= max_tx_rate.
minimum: 0
type: integer
networkNamespace:
description: Namespace of the NetworkAttachmentDefinition custom resource
type: string
resourceName:
description: SRIOV Network device plugin endpoint resource name
type: string
spoofChk:
description: VF spoof check, (on|off)
enum:
- "on"
- "off"
type: string
trust:
description: VF trust mode (on|off)
enum:
- "on"
- "off"
type: string
vlan:
description: VLAN ID to assign for the VF. Defaults to 0.
maximum: 4096
minimum: 0
type: integer
vlanQoS:
description: VLAN QoS ID to assign for the VF. Defaults to 0.
maximum: 7
minimum: 0
type: integer
required:
- resourceName
type: object
status:
description: SriovNetworkStatus defines the observed state of SriovNetwork
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

91
charts/rancher-sriov/sriov-crd/100.0.1+up0.1.0/templates/sriovnetwork.openshift.io_sriovoperatorconfigs.yaml Normal file
View File

@ -0,0 +1,91 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
creationTimestamp: null
name: sriovoperatorconfigs.sriovnetwork.openshift.io
spec:
group: sriovnetwork.openshift.io
names:
kind: SriovOperatorConfig
listKind: SriovOperatorConfigList
plural: sriovoperatorconfigs
singular: sriovoperatorconfig
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: SriovOperatorConfig is the Schema for the sriovoperatorconfigs
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SriovOperatorConfigSpec defines the desired state of SriovOperatorConfig
properties:
configDaemonNodeSelector:
additionalProperties:
type: string
description: NodeSelector selects the nodes to be configured
type: object
disableDrain:
description: Flag to disable nodes drain during debugging
type: boolean
enableInjector:
description: Flag to control whether the network resource injector
webhook shall be deployed
type: boolean
enableOperatorWebhook:
description: Flag to control whether the operator admission controller
webhook shall be deployed
type: boolean
enableOvsOffload:
description: Flag to enable OVS hardware offload. Set to 'true' to
provision switchdev-configuration.service and enable OpenvSwitch
hw-offload on nodes.
type: boolean
logLevel:
description: Flag to control the log verbose level of the operator.
Set to '0' to show only the basic logs. And set to '2' to show all
the available logs.
maximum: 2
minimum: 0
type: integer
type: object
status:
description: SriovOperatorConfigStatus defines the observed state of SriovOperatorConfig
properties:
injector:
description: Show the runtime status of the network resource injector
webhook
type: string
operatorWebhook:
description: Show the runtime status of the operator admission controller
webhook
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

23
charts/rancher-sriov/sriov/100.0.1+up0.1.0/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

25
charts/rancher-sriov/sriov/100.0.1+up0.1.0/Chart.yaml Normal file
View File

@ -0,0 +1,25 @@
annotations:
catalog.cattle.io/auto-install: sriov-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: sriov
apiVersion: v2
appVersion: 1.0.0
description: SR-IOV network operator configures and manages SR-IOV networks in the
kubernetes cluster
home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
icon: https://charts.rancher.io/assets/logos/sr-iov.svg
keywords:
- sriov
- Networking
kubeVersion: '>= 1.16.0-0'
maintainers:
- email: charts@rancher.com
name: Rancher Labs
name: sriov
sources:
- https://github.com/rancher/charts
type: application
version: 100.0.1+up0.1.0

73
charts/rancher-sriov/sriov/100.0.1+up0.1.0/README.md Normal file
View File

@ -0,0 +1,73 @@
# SR-IOV Network Operator Helm Chart
SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
the lifecycle of SR-IOV network operator.
## SR-IOV Network Operator
SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
SR-IOV Network Operator features:
- Initialize the supported SR-IOV NIC types on selected nodes.
- Provision/upgrade SR-IOV device plugin executable on selected node.
- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
- Manage configuration of SR-IOV device plugin on host.
- Generate net-att-def CRs for SR-IOV CNI plugin
- Supports operation in a virtualized Kubernetes deployment
- Discovers VFs attached to the Virtual Machine (VM)
- Does not require attached of associated PFs
- VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
## QuickStart
### Prerequisites
- Kubernetes v1.17+
- Helm v3
### Install Helm
Helm provides an install script to copy helm binary to your system:
```
$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
$ chmod 500 get_helm.sh
$ ./get_helm.sh
```
For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
### Deploy SR-IOV Network Operator
```
# Install Operator
$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
# View deployed resources
$ kubectl -n sriov-network-operator get pods
```
## Chart parameters
In order to tailor the deployment of the network operator to your cluster needs
We have introduced the following Chart parameters.
### Operator parameters
| Name | Type | Default | description |
| ---- | ---- | ------- | ----------- |
| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
| `operator.enableAdmissionController` | bool | `false` | Enable SR-IOV network resource injector and operator webhook |
| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
| `operator.clusterType` | string | `kubernetes` | Cluster environment type |
### Images parameters
| Name | description |
| ---- | ----------- |
| `images.operator` | Operator controller image |
| `images.sriovConfigDaemon` | Daemon node agent image |
| `images.sriovCni` | SR-IOV CNI image |
| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
| `images.sriovDevicePlugin` | SR-IOV device plugin image |
| `images.resourcesInjector` | Resources Injector image |
| `images.webhook` | Operator Webhook image |

13
charts/rancher-sriov/sriov/100.0.1+up0.1.0/app-README.md Normal file
View File

@ -0,0 +1,13 @@
# Rancher SR-IOV Network Operator
This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
The chart installs the following components:
- SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
- SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.

17
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/NOTES.txt Normal file
View File

@ -0,0 +1,17 @@
Get Network Operator deployed resources by running the following commands:
$ kubectl -n {{ .Release.Namespace }} get pods
For additional instructions on how to use SR-IOV network operator,
refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator
{{- if .Values.operator.enableAdmissionController }}
{{- if not .Values.cert_manager }}
Thank you for installing {{ .Chart.Name }}.
WARNING! Self signed certificates have been generated for webhooks.
These certificates have a one-year validity and will not be rotated
automatically. This should not be a production cluster. Please deploy
and use cert-manager for production clusters.
{{- end }}
{{- end }}

70
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,70 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "sriov-network-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "sriov-network-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "sriov-network-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "sriov-network-operator.labels" -}}
helm.sh/chart: {{ include "sriov-network-operator.chart" . }}
{{ include "sriov-network-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "sriov-network-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "sriov-network-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "sriov-network-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "sriov-network-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

31
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/_webhook-certs.tpl Normal file
View File

@ -0,0 +1,31 @@
{{/*
Generate TLS certificates for webhooks.
Note: these 2 lines, that are repeated several times below, are a trick to
ensure the CA certs are generated only once:
$ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
$_ := set . "ca" $ca
Please, don't try to "simplify" them as without this trick, every generated
certificate would be signed by a different CA.
*/}}
{{- define "sriov_operator_ca_cert" }}
{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
{{- $_ := set . "ca" $ca -}}
{{- printf "%s" $ca.Cert | b64enc -}}
{{- end }}
{{- define "sriov_operator_cert" }}
{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
{{- $_ := set . "ca" $ca -}}
{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end }}
{{- define "sriov_resource_injector_cert" }}
{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
{{- $_ := set . "ca" $ca -}}
{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end }}

41
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/certmanagercerts.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}}
{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}}
{{- required "cert-manager is required but not found" "" -}}
{{- end -}}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: sriov-network-operator-selfsigned-issuer
namespace: {{ .Release.Namespace }}
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: operator-webhook-service
namespace: {{ .Release.Namespace }}
spec:
secretName: operator-webhook-service
dnsNames:
- operator-webhook-service.{{ .Release.Namespace }}.svc
issuerRef:
name: sriov-network-operator-selfsigned-issuer
privateKey:
rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: network-resources-injector-service
namespace: {{ .Release.Namespace }}
spec:
secretName: network-resources-injector-secret
dnsNames:
- network-resources-injector-service.{{ .Release.Namespace }}.svc
issuerRef:
name: sriov-network-operator-selfsigned-issuer
privateKey:
rotationPolicy: Always
{{- end -}}

106
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,106 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "sriov-network-operator.fullname" . }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["namespaces", "serviceaccounts"]
verbs: ["*"]
- apiGroups: ["k8s.cni.cncf.io"]
resources: ["network-attachment-definitions"]
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "clusterrolebindings"]
verbs: ["*"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["*"]
- apiGroups: ["sriovnetwork.openshift.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["machineconfiguration.openshift.io"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sriov-network-config-daemon
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["*"]
- apiGroups: ["apps"]
resources: ["daemonsets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/eviction"]
verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sriov-admin
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups:
- sriovnetwork.openshift.io
resources:
- '*'
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sriov-edit
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
{{- end }}
rules:
- apiGroups:
- sriovnetwork.openshift.io
resources:
- '*'
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sriov-view
{{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
{{- end }}
rules:
- apiGroups:
- sriovnetwork.openshift.io
resources:
- '*'
verbs:
- "get"
- "watch"
- "list"

29
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "sriov-network-operator.fullname" . }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
name: {{ include "sriov-network-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ include "sriov-network-operator.fullname" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: sriov-network-config-daemon
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
name: sriov-network-config-daemon
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: sriov-network-config-daemon

87
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/operator.yaml Normal file
View File

@ -0,0 +1,87 @@
{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}}
{{- required "rke2-multus is required but not found" "" -}}
{{- end -}}
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovOperatorConfig
metadata:
name: default
namespace: {{ .Release.Namespace }}
spec:
# Add fields here
enableInjector: {{ .Values.operator.enableAdmissionController }}
enableOperatorWebhook: {{ .Values.operator.enableAdmissionController }}
configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: "true"}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "sriov-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
name: sriov-network-operator
template:
metadata:
labels:
name: sriov-network-operator
spec:
{{- with .Values.operator.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.operator.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "sriov-network-operator.fullname" . }}
containers:
- name: {{ include "sriov-network-operator.fullname" . }}
image: {{ include "system_default_registry" . }}{{ .Values.images.operator.image }}:{{ .Values.images.operator.tag }}
command:
- sriov-network-operator
imagePullPolicy: IfNotPresent
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: SRIOV_CNI_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.sriovCni.image }}:{{ .Values.images.sriovCni.tag }}
- name: SRIOV_INFINIBAND_CNI_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.image }}:{{ .Values.images.ibSriovCni.tag }}
- name: SRIOV_DEVICE_PLUGIN_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.image }}:{{ .Values.images.sriovDevicePlugin.tag }}
- name: NETWORK_RESOURCES_INJECTOR_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.image }}:{{ .Values.images.resourcesInjector.tag }}
- name: OPERATOR_NAME
value: sriov-network-operator
- name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.image }}:{{ .Values.images.sriovConfigDaemon.tag }}
- name: SRIOV_NETWORK_WEBHOOK_IMAGE
value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.image }}:{{ .Values.images.webhook.tag }}
- name: RESOURCE_PREFIX
value: {{ .Values.operator.resourcePrefix }}
- name: ENABLE_ADMISSION_CONTROLLER
value: {{ .Values.operator.enableAdmissionController | quote }}
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RELEASE_VERSION
value: {{ .Release.AppVersion }}
- name: SRIOV_CNI_BIN_PATH
value: {{ .Values.operator.cniBinPath }}
{{- if .Values.operator.enableAdmissionController }}
{{- if not .Values.cert_manager }}
- name: WEBHOOK_CA_BUNDLE
value: "{{ include "sriov_operator_ca_cert" . }}"
{{- end }}
{{- end }}

111
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/role.yaml Normal file
View File

@ -0,0 +1,111 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
creationTimestamp: null
name: {{ include "sriov-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
verbs:
- '*'
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- get
- create
- apiGroups:
- apps
resourceNames:
- sriov-network-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- serviceaccounts
- roles
- rolebindings
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: sriov-network-config-daemon
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- '*'
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- '*'
- apiGroups:
- sriovnetwork.openshift.io
resources:
- '*'
- sriovnetworknodestates
verbs:
- '*'
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: operator-webhook-sa
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get

44
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/rolebinding.yaml Normal file
View File

@ -0,0 +1,44 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "sriov-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "sriov-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "sriov-network-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: sriov-network-config-daemon
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: sriov-network-config-daemon
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: sriov-network-config-daemon
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: operator-webhook-sa
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: operator-webhook-sa
roleRef:
kind: Role
name: operator-webhook-sa
apiGroup: rbac.authorization.k8s.io

20
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/secrets.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if not .Values.cert_manager -}}
{{- if .Values.operator.enableAdmissionController }}
apiVersion: v1
kind: Secret
metadata:
name: operator-webhook-service
namespace: {{ .Release.Namespace }}
data: {{ include "sriov_operator_cert" . | nindent 2 }}
{{- end }}
---
{{- if .Values.operator.enableAdmissionController }}
apiVersion: v1
kind: Secret
metadata:
name: network-resources-injector-secret
namespace: {{ .Release.Namespace }}
data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
{{- end }}
{{- end }}

15
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "sriov-network-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: sriov-network-config-daemon
namespace: {{ .Release.Namespace }}
labels:
{{- include "sriov-network-operator.labels" . | nindent 4 }}

18
charts/rancher-sriov/sriov/100.0.1+up0.1.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,18 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}}
# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}}
# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}}
# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}}
# {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

57
charts/rancher-sriov/sriov/100.0.1+up0.1.0/values.yaml Normal file
View File

@ -0,0 +1,57 @@
operator:
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/etcd
operator: Exists
- effect: NoSchedule
key: cattle.io/os
operator: Equal
value: linux
nodeSelector:
node-role.kubernetes.io/control-plane: "true"
nameOverride: ""
fullnameOverride: ""
resourcePrefix: "rancher.io"
enableAdmissionController: false
cniBinPath: "/opt/cni/bin"
clusterType: "kubernetes"
# Image URIs for sriov-network-operator components
images:
operator:
image: rancher/hardened-sriov-network-operator
tag: v1.0.0-build20210429
sriovConfigDaemon:
image: rancher/hardened-sriov-network-config-daemon
tag: v1.0.0-build20210429
sriovCni:
image: rancher/hardened-sriov-cni
tag: v2.6-build20210310
ibSriovCni:
image: rancher/hardened-ib-sriov-cni
tag: v1.0.0-build20210310
sriovDevicePlugin:
image: rancher/hardened-sriov-network-device-plugin
tag: v3.3.1-build20210310
resourcesInjector:
image: rancher/hardened-sriov-network-resources-injector
tag: v1-build20210310
webhook:
image: rancher/hardened-sriov-network-webhook
tag: v1.0.0-build20210429
# cert_manager enables integration with cert-manager to generate
# certificates for the operator webhooks. Otherwise the chart will
# generate ad-hoc certificates with no automated renewal at expiration,
# not recommended for production clusters.
cert_manager: false
global:
cattle:
systemDefaultRegistry: ""
rbac:
userRoles:
aggregateToDefaultRoles: false

14
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/Chart.yaml Normal file
View File

@ -0,0 +1,14 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: system-upgrade-controller
apiVersion: v1
appVersion: v0.8.0
description: General purpose controller to make system level updates to nodes
home: https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader
name: system-upgrade-controller
sources:
- https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader
version: 100.0.2+up0.3.2

9
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

12
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system-upgrade-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: system-upgrade-controller
namespace: cattle-system

16
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/templates/configmap.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: system-upgrade-controller-config
namespace: cattle-system
data:
SYSTEM_UPGRADE_CONTROLLER_DEBUG: {{ .Values.systemUpgradeControllerDebug | default "false" | quote }}
SYSTEM_UPGRADE_CONTROLLER_THREADS: {{ .Values.systemUpgradeControllerThreads | default "2" | quote }}
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: {{ .Values.systemUpgradeJobActiveDeadlineSeconds | default "900" | quote }}
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: {{ .Values.systemUpgradeJobBackoffLimit | default "99" | quote }}
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: {{ .Values.systemUpgradeJobImagePullPolicy | default "IfNotPresent" | quote }}
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: {{ template "system_default_registry" . }}{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}
SYSTEM_UPGRADE_JOB_PRIVILEGED: {{ .Values.systemUpgradeJobPrivileged | default "true" | quote }}
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: {{ .Values.systemUpgradeJobTTLSecondsAfterFinish | default "900" | quote }}
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: {{ .Values.systemUpgradePlanRollingInterval | default "15m" | quote }}

62
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/templates/deployment.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: system-upgrade-controller
namespace: cattle-system
spec:
selector:
matchLabels:
upgrade.cattle.io/controller: system-upgrade-controller
template:
metadata:
labels:
upgrade.cattle.io/controller: system-upgrade-controller # necessary to avoid drain
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: In
values:
- "true"
weight: 100
- preference:
matchExpressions:
- key: node-role.kubernetes.io/master
operator: In
values:
- "true"
weight: 100
tolerations:
- operator: Exists
serviceAccountName: system-upgrade-controller
containers:
- name: system-upgrade-controller
image: {{ template "system_default_registry" . }}{{ .Values.systemUpgradeController.image.repository }}:{{ .Values.systemUpgradeController.image.tag }}
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: system-upgrade-controller-config
env:
- name: SYSTEM_UPGRADE_CONTROLLER_NAME
valueFrom:
fieldRef:
fieldPath: metadata.labels['upgrade.cattle.io/controller']
- name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: etc-ssl
mountPath: /etc/ssl
- name: tmp
mountPath: /tmp
volumes:
- name: etc-ssl
hostPath:
path: /etc/ssl
type: Directory
- name: tmp
emptyDir: {}

5
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: system-upgrade-controller
namespace: cattle-system

13
charts/system-upgrade-controller/system-upgrade-controller/100.0.2+up0.3.2/values.yaml Normal file
View File

@ -0,0 +1,13 @@
global:
cattle:
systemDefaultRegistry: ""
systemUpgradeController:
image:
repository: rancher/system-upgrade-controller
tag: v0.8.0
kubectl:
image:
repository: rancher/kubectl
tag: v1.20.2

73
index.yaml
View File

@ -1991,12 +1991,11 @@ entries:
catalog.cattle.io/release-name: rancher-external-ip-webhook
catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v1.0.1-rc2
created: "2021-11-19T09:57:30.062534749-08:00"
appVersion: v1.0.1-rc3
created: "2021-11-19T13:01:55.824818854-08:00"
description: |
Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
digest: 0afa3e9af81ae240c9e53e9adf45e188fdd68b42b7ccf31385ecbd49af0c2ced
home: https://github.com/rancher/externalip-webhook
digest: 6439d85f0e2cc7d7ec98f411ab2c6940ecd90be47ca86c69da1894d0672f64f0
keywords:
- cve
- externalip
@ -2010,8 +2009,8 @@ entries:
sources:
- https://github.com/rancher/externalip-webhook
urls:
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-100.0.1+up1.0.1-rc2.tgz
version: 100.0.1+up1.0.1-rc2
- assets/rancher-external-ip-webhook/rancher-external-ip-webhook-100.0.1+up1.0.1-rc3.tgz
version: 100.0.1+up1.0.1-rc3
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: External IP Webhook
@ -5820,6 +5819,35 @@ entries:
- assets/rio/rio-0.8.000.tgz
version: 0.8.000
sriov:
- annotations:
catalog.cattle.io/auto-install: sriov-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: sriov
apiVersion: v2
appVersion: 1.0.0
created: "2021-11-19T11:49:26.033710053-08:00"
description: SR-IOV network operator configures and manages SR-IOV networks in
the kubernetes cluster
digest: 6d61497adfa17683860eaf7fcb0ac7a72862c5c818d9a8c364cb5dfe9ba3a788
home: https://github.com/k8snetworkplumbingwg/sriov-network-operator
icon: https://charts.rancher.io/assets/logos/sr-iov.svg
keywords:
- sriov
- Networking
kubeVersion: '>= 1.16.0-0'
maintainers:
- email: charts@rancher.com
name: Rancher Labs
name: sriov
sources:
- https://github.com/rancher/charts
type: application
urls:
- assets/rancher-sriov/sriov-100.0.1+up0.1.0.tgz
version: 100.0.1+up0.1.0
- annotations:
catalog.cattle.io/auto-install: sriov-crd=match
catalog.cattle.io/certified: rancher
@ -5850,6 +5878,21 @@ entries:
- assets/rancher-sriov/sriov-100.0.0+up0.1.0.tgz
version: 100.0.0+up0.1.0
sriov-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-sriov-system
catalog.cattle.io/release-name: sriov-crd
apiVersion: v2
created: "2021-11-19T11:49:26.035005876-08:00"
description: Installs the CRDs for rke2-sriov.
digest: 079427f8edeeda16015c69e1c1660e586fa79c37e1723ecbee71d4998523042b
name: sriov-crd
type: application
urls:
- assets/rancher-sriov/sriov-crd-100.0.1+up0.1.0.tgz
version: 100.0.1+up0.1.0
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/experimental: "true"
@ -5866,6 +5909,24 @@ entries:
- assets/rancher-sriov/sriov-crd-100.0.0+up0.1.0.tgz
version: 100.0.0+up0.1.0
system-upgrade-controller:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: system-upgrade-controller
apiVersion: v1
appVersion: v0.8.0
created: "2021-11-19T12:57:09.370125531-08:00"
description: General purpose controller to make system level updates to nodes
digest: 74f564bdd16795ee1eea785a6935e339a9aa87663a76b56bbb70063bf7f74c8b
home: https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader
name: system-upgrade-controller
sources:
- https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader
urls:
- assets/system-upgrade-controller/system-upgrade-controller-100.0.2+up0.3.2.tgz
version: 100.0.2+up0.3.2
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"

4
packages/rancher-external-ip-webhook/generated-changes/patch/Chart.yaml.patch
View File

@ -9,7 +9,7 @@
+ catalog.cattle.io/release-name: rancher-external-ip-webhook
+ catalog.cattle.io/ui-component: rancher-external-ip-webhook
apiVersion: v1
appVersion: v1.0.1-rc2
appVersion: v1.0.1-rc3
description: |
- Deploy the externalip-webhook to mitigate k8s CVE-2020-8554
+ Deploy the external-ip-webhook to mitigate k8s CVE-2020-8554
@ -24,4 +24,4 @@
+name: rancher-external-ip-webhook
sources:
- https://github.com/rancher/externalip-webhook
version: 1.0.1-rc2
version: 1.0.1-rc3

2
packages/rancher-external-ip-webhook/package.yaml
View File

@ -1,2 +1,2 @@
url: https://github.com/rancher/externalip-webhook/releases/download/v1.0.1-rc2/rancher-externalip-webhook-1.0.1-rc2.tgz
url: https://github.com/rancher/externalip-webhook/releases/download/v1.0.1-rc3/rancher-externalip-webhook-1.0.1-rc3.tgz
version: 100.0.1

2
packages/rancher-sriov/generated-changes/patch/templates/_helpers.tpl.patch
View File

@ -6,7 +6,7 @@
{{- end }}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.systemDefaultRegistry -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}

2
packages/rancher-sriov/package.yaml
View File

@ -1,7 +1,7 @@
url: https://github.com/k8snetworkplumbingwg/sriov-network-operator.git
subdirectory: deployment/sriov-network-operator
commit: c5c943cc214f4113b6f6be8d7c48ac837aa1669c
version: 100.0.0
version: 100.0.1
additionalCharts:
- workingDir: charts-crd
crdOptions:

2
packages/system-upgrade-controller/generated-changes/patch/Chart.yaml.patch
View File

@ -10,7 +10,7 @@
home: https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader
sources:
- "https://github.com/rancher/system-charts/blob/dev-v2.6/charts/rancher-k3s-upgrader"
version: 0.3.1
version: 0.3.2
appVersion: v0.8.0
+annotations:
+ catalog.cattle.io/certified: rancher

6
packages/system-upgrade-controller/package.yaml
View File

@ -1,4 +1,4 @@
url: https://github.com/rancher/system-charts.git
subdirectory: charts/rancher-k3s-upgrader/0.3.1
commit: 43ca7c9954d03c6334cdf307d4097e4c3ac5fd02
version: 100.0.1
subdirectory: charts/rancher-k3s-upgrader/0.3.2
commit: e487b1e7e629d57518dcc950fef18ad53c8bfad0
version: 100.0.2